Compliance in the Modern Age: Building Effective Privacy Programs With Gretchen Herault

Intro 0:01

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:22

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and Certified Information Privacy Professional providing practical privacy advice to overwhelmed companies.

Justin Daniels 0:36

Hello, I am Justin Daniels. I am a shareholder and corporate M&A and tech transaction lawyer at the law firm Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risk and when needed, I lead the legal cyber data breach response brigade.

Jodi Daniels 0:58

And this episode is brought to you by ding! Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, ecommerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, and to check out our best-selling book Data Reimagined: Building Trust one Byte at a Time, visit redcloveradvisors.com. Well, hello, hello.

Justin Daniels 1:35

So I have a question for you. So for our listeners out there, our sponsor, Red Clover Advisors had a big moment. They got a Pacesetter Award for being one of the top 100 growing businesses in Atlanta. And so, Jodi, I’m just curious, that was a day and now you’re back to the normal, everyday grind of your business. What did that mean for you? Oh,

Jodi Daniels 1:59

it was really a special moment because it means all the hard work paid off. It was a nice recognition to be able to see so much time with wonderful clients and podcast listeners and supporters who trusted us enough to be able to help those companies comply with privacy laws. And it was a really fun special time. There’s all kinds of cool pictures on LinkedIn.

Justin Daniels 2:27

Did Well anyway, with that.

Jodi Daniels 2:30

How did it feel for you?

Justin Daniels 2:32

How did it feel for me? I thought it was a pretty big moment. You started the business in 2017. And here it is. Seven years later and you’re going then was my point of what I wrote about today with the turtle is slow and steady wins the race

Jodi Daniels 2:47

Slow and steady wins the race. Yes, and turtles are really cute just as long as you made sure so if you didn’t, Justin saw a turtle on his mountain bike ride and he came home all focused on the turtle. And I was very focused on why the turtle in the middle of the bike trail is the turtle. Okay, did you stop to help the turtle near the water? Did you pick up the turtle? For everyone concerned? The turtle appears to be okay. That was my main focus was turtle safety. All right, but back to privacy. So today I’m very excited. We have Gretchen Herault who is the Chief Privacy Officer at Randstad USA and global job board, Monster.com. She has held several privacy leadership roles including Chief Privacy Officer at Haven Healthcare, HIPAA Privacy Officer at GE Healthcare, and Chief Privacy Officer at Nuance Communications. So Gretchen Welcome to the show.

Gretchen Herault 3:42

Thank you. I’m very happy and honored to be here.

Jodi Daniels 3:44

We won’t talk about turtles the whole time. They’re so cute.

Justin Daniels 3:50

I hit a mark. So Gretchen, you have a really interesting career working for some pretty impressive brands. Talk to us a little bit about your journey and how you got to where you are today.

Gretchen Herault 4:03

I think like a lot of people I didn’t start out in privacy. I was a law clerk first and then spent a lot of time in financial services doing market conduct compliance. And so I think having a lengthy career in compliance, I eventually ended up specializing and focusing on privacy, I think because there’s a lot of opportunity to get into technology, particularly newer technologies. And that was an area of interest for me.

Jodi Daniels 4:40

Where you are now at Randstad. Can you share a little bit of the structure of the privacy program like where does it sit? I get asked this question all the time, where should Where does privacy belong? And then also kind of curious, is it centralized? Or is it a bit of a decentralized Is there a Matrix Model?

Gretchen Herault 5:00

It’s a little bit of a mix, I would say. So Randstad USA is the US subsidiary of Randstad NV, which is headquartered in the Netherlands. And so we have a global privacy function. And then each operating subsidiary in the regions where Randstad exists has a privacy function as well. So that’s where my role comes in. And I have a small team as well, I’d say we’re mostly centralized for most activities that we do. Within Randstad US.

Jodi Daniels 5:04

So Gretchen, does that mean for example, let’s take the US arm. Does that privacy functions set within legal and or in a compliance group? And then how can you share a little bit about how your team have their privacy function and all the operational pieces set up? In other words, so some people have steering committees, some people, you know, have ongoing meetings? How, how do you have your structure.

Gretchen Herault 6:13

So our privacy team is part of the legal function within Randstad US And then I also have a dotted line to our global privacy officer to report to him on the status of key activities or risks, and so forth. But we report up to our chief legal officer in the US. And then we work very closely with our security team, of course. And our Sissoko, incidentally, is named Gretchen H

Jodi Daniels 6:51

very clear, you’re gonna have sports jerseys.

Gretchen Herault 6:57

So people aren’t sure where to go to they can just come to both or either one of us, and we can figure it out. But we have what we call a data protection and information security steering committee, that is made up of, obviously, members of the privacy and security teams, but also other functional areas of the business to help guide us and give us the inputs on the projects that we’re working on. So that we can make sure that we can implement, implement the requirements that we need to without, you know, too much disruption of the business and try and make it as seamless as possible.

Jodi Daniels 7:43

And my last functional setup question is, a lot of times people will say, who should I have on my team? What are the backgrounds? So can you share? For example, do you have other attorneys on your team? Do you have non attorneys on your team? I think that would be really helpful.

Gretchen Herault 8:00

I do have two attorneys on my team. And I also have one non-attorney who’s a privacy analyst. And I think it’s important to have a mixture of both. And I think there’s a heavy focus on having attorneys on one team. And I think sometimes that focus is a little misplaced, because I think there’s a lot of opportunities for contributions from people who aren’t attorneys. And I think it lends some diversity of thought into how things are done, and probably helps keep the lawyers in check with some practicality as well. So I’m a big proponent of a mixture of both attorneys and non attorneys. My other thing that I look for is usually some kind of international experience, whether it’s living abroad or being from another country, or you know, fluency or proficiency in another language. I think those things are really helpful in the privacy world because it helps give people a cultural understanding that strongly impacts privacy as well.

Jodi Daniels 9:31

I love how you mentioned that non-attorneys have a role because as the non-attorney out of this little podcast crew here today, I do think in all seriousness though, a blend is really valuable because that practical and the business pieces and some of their experience matched with the legal analysis is very helpful. That appears to be a very helpful phrase today very helpful. I’ve said that like 400 times I’m just All about being helpful today. Oh,

Justin Daniels 10:01

I guess I wanted to ask both of you a question, which is, I actually have a client, and we’re working on a couple of important transactions that were actually operationalizing. How we might anonymize data makes us a less risky vendor. And so I’m just curious from your perspective, Gretchen. And Jodi, do you think where a non-lawyer really adds value is that operational piece because there’s one part which is the legal advice, but then there’s kind of how do you really operationalize a, you know, data minimization or operationalize a DSR request? I’d What is your perspective on that? Gretchen? Yeah, I

Gretchen Herault 10:40

think that that can help operationalize things, just understanding. Maybe not only the written policies, but then how people actually do things is really important. And so someone with more background in the business itself or deeper into the business can help bring that to everyone’s attention as they formulate how they’re going to approach that.

Jodi Daniels 11:09

I would really agree, I think being able to try and explain it in business terms and business speak, and being able to identify and pull out the relevant pieces that the individual frontline and each different functional group needs to do is very important. And that’s what I think those business minded privacy team members can bring. Is that enough? Well,

Justin Daniels 11:39

staffing companies have a lot of personal information and more privacy laws keep passing what are we at like 17. Now

Jodi Daniels 11:46

17, past 16 sign

Justin Daniels 11:48

There you go. So what have you found to be successful in building a privacy program that covers this data under this hatch quilt of laws?

Gretchen Herault 12:00

Well, I think most of my background was previously working in a much more global role than currently. And so I had to implement GDPR in prior roles. So for me, I felt it was a lot like implementing GDPR a few years ago, where a lot of companies made the decision to go with the strictest standard. And that way they can have mostly one way of doing things. And it makes the operations much easier. So I think, for us, we felt like California was leading the charge, and eventually either other states would adopt something similar. Or maybe there would even be a federal law adopted. And so we just realized, like, maybe we should just get ready for the fact that eventually there could be 50 state laws covering the work that we do and the data that we have.

Jodi Daniels 13:14

Gretchen, when you were sharing, you know, adopting GDPR and California, one of the questions I’m asked a lot is, How do I align all the differences and look at the differences across the states? Can you share maybe one or one or the two ways that your team tries to approach understanding and keeping up with the changes?

Gretchen Herault 13:35

Yeah, for us, we decided, really right away when CCPA was adopted, that we would apply the rights for data subjects across the board, regardless of their state of residence. And that was really, because we felt it would be a lot easier operationally. We didn’t think we’d be overwhelmed by requests to respond to so that we thought that it would be an acceptable approach. We thought it was good for our candidates and talents, talent as far as their experience with Randstad, and simply kind of the right thing to do. So I think our experience as other states have come online has borne that out where we have not seen a huge increase in requests. We still do get requests from people who are in states where they don’t have those rights. But I think it’s also because they’re hearing about what’s happening in other states, and they’re assuming that they have those rights. So I do think the trend is in that direction. And if you’re going to turn down someone’s request, I think you might have some difficult follow-up afterward, just because the trend is heading that way, and maybe consumers right now don’t really understand that.

Jodi Daniels 15:14

One day all companies will honor Jodi and Justin and Georgia. But not this year. Now this year, we were maybe going to have some rights for about a minute. Not anymore. Except for companies like Randstad, like my current job, so I won’t be in their database anytime soon. Okay, I like my job.

Justin Daniels 15:38

I understand. So, Gretchen, we touched on this in the pre show, but what is the biggest challenge that the privacy team is facing at this particular moment?

Gretchen Herault 15:51

I think right now, for us, it’s a, I think there’s a lot of eagerness for people to be using AI tools working with them. And that’s regardless of where they sit in an organization. So you know, people are really jumping on the AI bandwagon, so to speak. So I feel like there’s a lot of noise around that. Because, you know, we see things in the news every single day about it. Especially in our privacy and security, focused reading, we’re seeing a lot about it, too. But for most companies, we’re not developing our own large language models, and so forth. Most companies are probably purchasing tools to be used in their business, I think some of it is a little bit overhyped and distracting. And kind of need to, I would say, stick to our knitting. And to address the risks that AI presents to an organization.

Jodi Daniels 16:59

Gretchen, how much is the privacy team getting involved in some of these discussions? That sounds like it. For example, I’ve been talking to other companies and so much of their work, the privacy team is now AI compared to regular privacy pieces. And then other companies are trying to, obviously they want to be involved. And they also have a broader AI committee where it’s a little bit more even.

Gretchen Herault 17:27

We’re definitely involved. And I would say for us, it’s a little bit not cross functional, but cross specialty, because in the industry that we’re in, it’s also an employment rights kind of issue, the use of AI, in making hiring, firing, rating decisions. And so, you know, we see the New York City Law that came out about a little over a year and a half ago, I think. And so you have so we work together, making sure that we’re, you know, aware of the tools that are being used in our organization and betting them both under Privacy laws and the employment laws that may apply.

Jodi Daniels 18:14

For new privacy teams that are on the ground getting stood up, or maybe just a new privacy director in a company, what would you recommend? What advice would you offer them?

Gretchen Herault 18:28

I would say probably take stock of what’s in place already. You know, I think a lot of times, you can walk into an organization as a new person and be told, Oh, we don’t have anything in place or we don’t do privacy well. So I think whether you do a real formal workup, or assessment, or do something informally by meeting with people, you can take stock of what’s already there and build from that. So you know, I’ve personally would focus on the externally facing things like a website and those DCR processes to sort of keep people from complaining about your practices, make sure that you aren’t doing any anything obviously incorrectly so that you can do you know, give yourself some bandwidth and some time to then work on the other more fundamental things.

Jodi Daniels 19:34

It makes a lot of sense and I very much agree with the outside approach that does not mean we don’t pay attention to what’s on the inside. Right? However, anyone, your customers, your prospects and regulators can all see what is happening on the outside so you should really get that one in shipshape. ready then. Why are you looking at me strangely, you don’t like my shipshape?

Justin Daniels 19:59

Like It’s interesting. So, Gretchen, could you share your perspective on what you think your best privacy or security tip might be?

Gretchen Herault 20:12

What do you mean for someone’s personal life?

Justin Daniels 20:15

Yeah, let’s say we’re at a cocktail party and people know what you do. And they say, hey, what can I do in my personal life to improve my privacy or security? If you might have a tip?

Gretchen Herault 20:27

I would say use a password manager. That’s my number one.

Jodi Daniels 20:34

Good one, not 123 Apparently, and when the week we’re recording, it’s password day later this week. You should not use the password 123 Even if you use a password manager. Really popular or password?

Justin Daniels 20:48

You’ve never remembered Spaceballs? No.

Jodi Daniels 20:53

Remember, I get movies fail, move.

Justin Daniels 20:56

Yes. As long as we’re clear on

Jodi Daniels 20:57

We’re okay, it’s okay. I’m comfortable with that movie.

Justin Daniels 21:02

So Gretchen, I’m curious from a password manager perspective, do you use any kind of secret phrases over top of your password even if they were to get into your password manager, they still might not know the full password or any other things around password managers that you have thought of.

Gretchen Herault 21:20

One thing I’ve thought of it sort of in a different way is maybe more in the sense of if you’re caring for other relatives. Make sure that people know how to access everything.

Jodi Daniels 21:35

It’s a really, really important piece. Gretchen thanks for highlighting it. That’s a good tip. Yeah. Gretchen when you are not building privacy programs and studying AI tools. What do you like to do for fun?

Gretchen Herault 21:49

Um, I like to read. I like ice skating. I love to travel, try new restaurants. And yeah, spend time with my family and our dog.

Jodi Daniels 22:06

Well, Gretchen, thank you so much for sharing. We really appreciate it. If people would like to connect and learn more, where can they go?

Gretchen Herault 22:13

They can find me on LinkedIn or they can email me directly at Gretchen.herault@randstadusa.com.

Jodi Daniels 22:24

Wonderful. Well, Gretchen, thank you again.

Gretchen Herault 22:25

Thank you it was a pleasure to be with you here today.

Outro 22:35

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.